﻿# Configure SAML-based claims authentication with AD FS in SharePoint 2013
# http://technet.microsoft.com/en-us/library/hh305235(v=office.15).aspx
# http://www.kbasrai.com/b/2013/06/16/configure-sharepoint-to-use-adfs-in-3-easy-steps
# https://dirteam.com/tomek/2010/05/13/adding-claim-mapping-to-existing-provider-in-sps-2010/

# import the parent certificate of the token signing certificate (that is, the root authority certificate)
# Add the SharePoint PowerShell snap-in
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
}

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<PathToParentCert>")
New-SPTrustedRootAuthority -Name "Token Signing Cert Parent" -Certificate $root
# import the token signing certificate that was copied from the AD FS server
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<PathToSigningCert>")
New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert

# create the UPN claim mapping
$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "账号" -SameAsIncoming

# create the role claim mapping 
$roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "角色" -SameAsIncoming


#$realm = "urn:sharepoint:<WebAppName>"
$realm = "http://hr.erp.cnpc/_trust/"

#$signInURL = "https://<YourADFSServerName>/adfs/ls"
$signInURL = "https://<STSServerUrl>/"

# Include $roleClaimMap and $sidClaimMap in the list of ClaimsMappings for server-to-server authentication scenarios.
$ap = New-SPTrustedIdentityTokenIssuer 
		-Name "<ProviderName>" 
		-Description "<ProviderDescription>" 
		-realm $realm 
		-ImportTrustCertificate $cert 
		-ClaimsMappings $uidClaimMap,$roleClaimMap
		-SignInUrl $signInURL 
		-IdentifierClaim $upnClaimMap.InputClaimType
$ap.UseWReplyParameter = 1;
$ap.update();